Extract Intel from Report Description
Finished intelligence reports received from various sources may include comprehensive text with IOCs, such as IP addresses, hashes, URLs, and more, embedded in the report description. You can use the Extract Intel feature to parse the IOCs from the report description and extract STIX objects. You can then select the extracted STIX objects and ingest them into the platform for subsequent analysis and actioning.
Before You Start
Ensure that you have View Threat Data and Update Threat Data permissions.
Steps
To extract and create intel from the report description, follow these steps:
Go to Main Menu > Collection > Threat Data.
Select a report object and go to Basic Details.
Click Extract Intel in the upper-right corner of the Correlated View of Sources. After the report description is scanned and extraction is completed, you can view a list of extracted IOCs categorized into STIX object types.
Select the objects to be included in the intel submission. You can also add new objects to the parsed object types, and update or remove the extracted objects.
Click Create Intel.
The objects ingested from the report description are associated with the report object. By default, all ingested objects include metadata of the report object, such as TLP and tags.
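To show what this kind of extraction involves, the following added example (not the platform's own code) parses a defanged report description into objects grouped by STIX object type and copies the report's TLP and tags onto each one. The report dictionary layout, the `refang` and `extract_intel` names, and the simplified object fields are assumptions made for illustration; the sample values are constructed.

```python
import re

# Constructed sample report; IP, domain and hash are placeholders, not real indicators.
SAMPLE_REPORT = {
    "tlp": "AMBER",
    "tags": ["phishing"],
    "description": (
        "The actor staged payloads at hxxps://files.example[.]com/update.bin "
        "and used 203.0.113[.]45 for C2. Dropper SHA-256: " + "a1b2c3d4" * 8 + ". "
        "The address 203.0.113.45 also appeared in earlier activity."
    ),
}

# (label, pattern) pairs; label is a STIX object type, with a hash algorithm after ':'.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>)\]]+", re.I)),
    ("ipv4-addr", re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b")),
    ("file:SHA-256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("file:SHA-1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("file:MD5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
]

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so the patterns can match."""
    text = re.sub(r"hxxp(s?)", r"http\1", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return text.replace("[:]", ":")

def extract_intel(report):
    """Return {stix_type: [simplified objects]} parsed from the report description."""
    text = refang(report["description"])
    found = {}
    for label, pattern in PATTERNS:
        stix_type, _, algo = label.partition(":")
        def record(match, stix_type=stix_type, algo=algo):
            value = match.group(0).rstrip(".,;")
            # Assumed layout: each object carries the report's TLP and tags.
            obj = {"type": stix_type, "tlp": report.get("tlp"),
                   "tags": list(report.get("tags", []))}
            obj.update({"hashes": {algo: value.lower()}} if algo else {"value": value})
            bucket = found.setdefault(stix_type, [])
            if obj not in bucket:  # de-duplicate repeated mentions
                bucket.append(obj)
            return " " * len(match.group(0))  # mask so later patterns skip this span
        text = pattern.sub(record, text)
    return found
```

Calling `extract_intel(SAMPLE_REPORT)` yields one `url`, one `ipv4-addr` (the repeated address is de-duplicated) and one `file` object, each reviewable before submission in the same way the extracted list is reviewed in the steps above.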